force-create-mode

force-create-mode (written force create mode, with spaces, in smb.conf) is a Samba configuration parameter that forces specific permission bits to be set on newly created files on a share. It ensures that regardless of the permissions requested by the client, new files will always have certain minimum permission bits enabled. This is useful for enforcing a baseline security policy on files stored on a Samba share.

Purpose

  • Enforce Baseline Security: Guarantees that all newly created files have a predefined set of permission bits, protecting them from being created with overly permissive settings.

  • Consistent Permissions: Helps maintain a uniform permission policy across all files on the share, regardless of client-side requests.

How It Works

When a file is created on a Samba share:

  1. The client's requested permissions are first filtered by the create mask.

  2. Samba then applies the force create mode settings using a bitwise OR operation, ensuring that the specified bits are always set.

For example, if you set:

  • create mask = 0660

  • force create mode = 0640

This means that even if a client requests different permissions, the resulting file will always have at least read/write permissions for the owner and read permission for the group, within the limits of the create mask.

Configuration

You set force create mode in the share definition within your smb.conf file.

Example

[shared]
   path = /srv/samba/shared
   writable = yes
   create mask = 0660
   force create mode = 0640

  • create mask = 0660: Limits the maximum permissions to read/write for the owner and group.

  • force create mode = 0640: Ensures that every new file has at least read/write for the owner and read for the group.
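
The mask-then-OR calculation from "How It Works", applied to share definitions as an audit check. This is an added example, not Samba code or part of the original page. It assumes the requested mode can be anything from 0000 to 0777 and does not model other smb.conf parameters or ACLs; the [scratch] share and the function names are hypothetical.

```python
import re

# Constructed input: [shared] is the page's example, [scratch] is a hypothetical share.
SAMPLE_CONF = """
[shared]
   path = /srv/samba/shared
   writable = yes
   create mask = 0660
   force create mode = 0640
[scratch]
   create mask = 0640
   force create mode = 0666
"""

def parse_shares(text):
    """Return {share: {param: value}} from smb.conf-style text."""
    shares, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = shares.setdefault(header.group(1), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            # Samba ignores case and whitespace in parameter names.
            current["".join(key.lower().split())] = value.strip()
    return shares

def effective_mode(requested, create_mask, force_create_mode):
    """Mask first, then OR, in the order given under 'How It Works'."""
    return (requested & create_mask) | force_create_mode

def audit(text):
    """Per share: lowest/highest mode a new file can get, plus findings."""
    report = {}
    for name, params in parse_shares(text).items():
        mask = int(params.get("createmask", "0744"), 8)        # Samba default
        force = int(params.get("forcecreatemode", "0000"), 8)  # Samba default
        findings = []
        if force & ~mask:
            findings.append("force bits outside create mask: %04o" % (force & ~mask))
        if force & 0o002:
            findings.append("every new file is world-writable")
        report[name] = {"min": "%04o" % effective_mode(0o000, mask, force),
                        "max": "%04o" % effective_mode(0o777, mask, force),
                        "findings": findings}
    return report
```

Because the OR runs after the mask, force create mode can only add bits: in [scratch] it overrides the 0640 mask and every new file ends up 0666. Restricting permissions is done in create mask, with force create mode kept to a subset of it.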

Use Cases

  • Security Enforcement: Ensures that all files have a minimum level of protection, preventing unauthorized access.

  • Simplified Administration: Automates permission management, reducing the need for manual corrections after file creation.

  • Mixed Environment Consistency: Helps maintain uniform permissions when files are created by users on different client systems.

Considerations

  • Interplay with create mask: create mask sets an upper limit for permissions, while force create mode ensures that certain bits are always present. Both should be configured in tandem to achieve the desired permission set.

  • Testing: Always test these settings on a small share before rolling them out to production, to confirm that the final permissions meet your security requirements.

Conclusion

The force create mode parameter in Samba is an effective way to enforce a baseline set of permissions on newly created files within a share. By guaranteeing that specific permission bits are always set, it helps maintain consistent security policies across your file system, ensuring that files are protected according to your organizational standards.
